By Simon Moores, 27 February 2008 13:18
COMMENT
The threat of terrorism is soaking up funds badly needed to combat cyber crime. So how big does the problem have to become before governments act, asks Simon Moores.
"Is it safe?" The famous line from the film Marathon Man is a singularly appropriate question for today's dangerously joined-up world.
The internet is certainly not safe. The statistics may show the risk of crime is decreasing in some areas because of new technical measures and policies.
But elsewhere, under the extreme pressures of criminal interests, new leaks are appearing in the collective firewall. They may become a flood if not tackled quickly.
That growing influence of serious and organised crime in cyberspace is the focus of representatives from business, finance, government and law enforcement agencies at next week's sixth international e-Crime Congress in London.
This year even shadow home secretary David Davis will be joining the directors of the FBI, US Secret Service, Nato and the likes of PayPal, Lloyds TSB and Unilever to reflect on a shared problem that threatens the world's most advanced economies.
Over the past 12 months, leading UK banks such as Barclays have been successful in reducing online fraud. Yet corporate losses from computer crime have reportedly doubled and the incidence of identity theft among the broader population continues to rise dramatically. Criminals are increasingly targeting individuals in cases of financial fraud rather than businesses.
Companies have been developing their security counter-measures to deal with the more common, asymmetric mass attacks launched through spam, phishing, botnets, denial of service and all manner of other exploits.
But at the same time, organised crime groups have also been busy. The resulting refinements in criminal techniques have led to the appearance of new tools for launching under-the-radar targeted attacks on individuals and organisations. These attacks are neither broadly distributed nor unique in nature and display much improved social engineering tactics.
Identity theft and sloppy data management are a significant and steadily growing problem. There is the regular loss of confidential personal data by large companies and government agencies, such as HMRC, or, at the more sophisticated end of the spectrum, advanced identity theft from persistent bots and new exploits that seek to compromise home routers.
Compromised bot networks of personal computers continue to make headlines in greater numbers and with increasing sophistication and effectiveness.
This month in the US one hacker pleaded guilty to creating a network of more than 400,000 computers, which included those belonging to the country's Defense Information Systems Agency.
In April 2007 Estonia, the former Soviet Baltic republic, was paralysed by an unprecedented online attack from networks in Russia. Estonian MP Silver Meikar, a member of the country's defence committee, will be describing this attack at the e-Crime Congress.
Earlier this month, silicon.com reported that Russia has now passed China to become the largest generator of spyware and malicious code, and the largest source of criminal exploits.
But Russia and China are not the only problem. IBM's X-Force reports that America and Germany were the only two countries consistently among the top three hosting sources for each classification of unwanted internet content monitored throughout 2007.
America far outpaces other countries as the primary hosting source of adult, socially deviant and criminal content on the internet.
The threat of international and domestic terrorism sucks funds away from the fight against e-crime.
The urgent question we need to answer - whether at conference, government, business or law-enforcement level - is does any effective counter-measure exist to challenge the organised crime interests that are threatening the trade routes of the internet much as the pirates of the Caribbean once did to marine commerce?
Without doubt every country requires more resources. Furthermore the government must treat this problem more seriously. I'm not convinced this will ever happen until the problem becomes too large to ignore.
Pandora's box has been opened and no single country is strong enough to close it. It's analogous to the debate on tighter European immigration and border controls.
The internet is as open and porous as the borders of Europe and legislation is only as strong as the will and resources of the poorest country. And without the co-operation of Russia and China any anti-cyber crime proposal remains of academic interest only.
So what can we do to fight the threat? Perhaps buy shares in information security companies because business and finance is largely on its own, as is the man in the street.
There must be a truly joined-up and international initiative to tackle the growing problem of organised crime online, involving significant funding, resources, legislation and most of all will at every level.
Without that initiative we shall have to accept that millions of people and businesses will be robbed and duped and conned as an integral benefit of the internet's total cost of ownership.
After all, if the FBI only has a team of 100 officers to deal with all cyber crime offences and Interpol has perhaps only three for Europe, the Middle East and Africa, the level of priority and the scale of the challenge now facing our joined-up and interdependent economies becomes depressingly clear.


Comments
There are 3 comments.
1. Mark Hosey
European standards and regulations, though occasionally absurd, are designed to ensure consumers are protected from a variety of commonly perceived dangers. Security products such as locks and catches and those that supply and fit them must meet these standards in all respects. Intruder and fire alarm equipment must also meet standards to ensure alarm systems respond and function correctly at the appropriate time and that they are immune to deliberate attack and accidental damage. Manufacturers and suppliers of these products guarantee their customers a defined level of security and have a duty of care to their customers for the products and services they provide.
So why is this not true of ISPs, web sites and software? After all, an ISP is a front door on your house which if not secure leaves you and your family vulnerable to the activities of a growing number of unscrupulous organisations and individuals. Web sites are often in the news as a result of sensitive or classified information having been accessed and downloaded with apparent ease. And software bugs are often reported that provide hackers with the means to illicitly gain access to your PC.
(continued in next post)
2. Mark Hosey
(Continued from last post)
I believe the only way we can ensure our security is to make the suppliers of internet services and software liable for security breaches which occur as a result of insecurities inherent in any products they supply. European standards are urgently required to force ISPs to live up to a duty of care they owe their customers, to protect them from criminal and malicious activity perpetrated via their servers. I believe a range of security standards must be applied to corporate web sites with the aim of ensuring their immunity to perceived threats and known methods of attack. I also believe European software standards, proscribing known bad practice in the creation of software products, must be set aiming to make them secure from and immune to criminal and malicious activity.
In all instances products and services should be obliged to undergo some minimum level of measurable and verifiable product testing, formal or otherwise, to ensure they meet appropriate standards.
3. Simon Moores
It's an interesting suggestion: "I believe the only way we can ensure our security is to make the suppliers of internet services and software liable for security breaches which occur as a result of insecurities inherent in any products they supply."
However, the security industry is worth around $20 billion and while I agree that the responsibility should lie away from the consumer and customer, I really can't see the powerful business IT lobby that dominates politics in the United States conceding that the remedy lies with them.
Europe may be a different matter but that could take decades.
The truth is perhaps an unpleasant one. The IT security industry and the online criminal fraternity are the major beneficiaries of fundamental weaknesses in the internet and PC software paradigm and if someone discovered a perfect solution to the problem, the anti-trust lawyers in the United States would never let it go to market; rather like the notion of turning water into cheap energy or the eternal light bulb!